- No
.env, Composer, Docker, Git, or project files are rewritten by diagnostics.
composer install, composer update, Composer scripts, internet audits, Docker lifecycle commands, and destructive Git actions are not run.- Port commands may suggest
kill -TERM or taskkill, but never execute them.
devdoctor init is the only writing command and requires preview plus confirmation unless it is in --dry-run mode.- Hints, fix suggestions, JSON, SARIF, and config preview output pass through redaction for sensitive-looking values.